diff --git a/modules/server/containers/apps/invidious.nix b/modules/server/containers/apps/invidious.nix index b45d387..3d5cccb 100644 --- a/modules/server/containers/apps/invidious.nix +++ b/modules/server/containers/apps/invidious.nix @@ -13,7 +13,6 @@ let tag = pkgs.invidious.version; config = { Entrypoint = [ "${patchedInvidious}/bin/invidious" ]; - Cmd = [ "--config" "/etc/invidious/config.yml" ]; ExposedPorts = { "3000/tcp" = {}; }; }; }; @@ -21,6 +20,10 @@ let in { sops = true; db = true; + paths = [{ + path="${serverCfg.configPath}/invidious"; + mode = "0755"; + }]; containers = { server = builder.mkContainer { 
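Review bot: `mode = "0755"` on `${serverCfg.configPath}/invidious` leaves the directory traversable by every local account, and the `setup` script added in the next hunk writes the rendered `config.yml` (DB password, `hmac_key`, companion key) into it under whatever umask it inherits, so the file is likely world-readable on the host. Tighten this to `mode = "0750";` (or `0700`) with an owner matching the uid the container reads `/data` as, and put `umask 077` at the top of the setup script. How `paths` assigns ownership is defined in the builder outside this diff, so the owner and group need confirming there. The `let … in { … }` body this hunk edits starts and ends outside the hunk.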
@@ -28,48 +31,33 @@ in { imageStream = invidiousImage; port = 3000; secret = name; - extraEnv = { - INVIDIOUS_DATABASE_URL = "postgres://invidious_user:\${DB_PASS}@${builder.host}/invidious_db"; - INVIDIOUS_HMAC_KEY = "\${HMAC_KEY}"; - INVIDIOUS_COMPANION_URL = "http://invidious-companion:8282/companion"; - INVIDIOUS_PO_TOKEN = "\${PO_TOKEN}"; - INVIDIOUS_VISITOR_DATA = "\${VISITOR_DATA}"; - INVIDIOUS_PORT = "3000"; - INVIDIOUS_COMPANION_KEY = "\${INVIDIOUS_KEY}"; - INVIDIOUS_DOMAIN = "${containerCfg.subdomain}.${serverCfg.domain}"; - # INVIDIOUS_CONFIG: | - # channel_threads: 1 - # check_tables: true - # feed_threads: 1 - # hmac_key: 1058f1474503055f8663dd99dbae561b9a5b3f1e - # db: - # dbname: invidious - # user: kemal - # password: xXrmHRHXcZLF2yDhF2ER4LhZ7FDgW5fb - # host: postgres_inv - # port: 5432 - # full_refresh: false - # https_only: true - # domain: yt.helcel.net - # external_port: 80 - # invidious_companion: - # - private_url: "http://invidious-companion:8282/companion" - # invidious_companion_key: "fee4cai" - - # visitor_data: CgtzS3RSVUN - # po_token: MnR6UWTyMu4mYnppjHRmSLk - #registration_enabled: false + overrides = { + Cmd = [ "--config" "/data/config.yml" ]; + volumes = [ + "${serverCfg.configPath}/invidious:/data:ro" + ]; }; }; companion = builder.mkContainer { image = "quay.io/invidious/invidious-companion:latest"; port = 8282; - # - SERVER_SECRET_KEY=fee4caePhoVohjei - # cap_drop: - # - ALL - # security_opt: - # - no-new-privileges:true + secret = name; #SERVER_SECRET_KEY = INVIDIOUS_COMPANION_KEY + extraOptions = [ + "--cap-drop=all" + "--security-opt=no-new-privileges" + ]; }; }; + + setup = { + trigger = "server"; + envFile = [ config.sops.secrets."INVIDIOUS".path config.sops.secrets."CUSTOM".path ]; + script = pkgs.writeShellScript "setup" '' + export DB_HOST=${builder.host} + export INVIDIOUS_DOMAIN=${containerCfg.subdomain}.${serverCfg.domain} + + ${pkgs.gettext}/bin/envsubst < "${../data/invidious/config.yml}" > 
"${serverCfg.configPath}/invidious/config.yml" + ''; + }; } \ No newline at end of file diff --git a/modules/server/containers/data/invidious/config.yml b/modules/server/containers/data/invidious/config.yml new file mode 100644 index 0000000..d3655d9 --- /dev/null +++ b/modules/server/containers/data/invidious/config.yml 
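Review bot: In `invidious.nix`, the `setup` script calls `envsubst` with no variable list and no check that the secrets are present, so any name missing from the two `envFile`s is rendered as an empty string and Invidious could start with a blank `hmac_key` or DB password. The template reads `$DB_PASSWORD` and `$SERVER_SECRET_KEY`, while the removed `extraEnv` used `DB_PASS` and `INVIDIOUS_KEY`; the secret is encrypted, so whether it was renamed cannot be checked from the diff. Fail closed on unset names and pass `envsubst` an explicit list, as sketched below (`''${` is the Nix escape for a literal `${`; the sketch assumes the script runs under bash with the `envFile` values exported, which the builder decides). Separately, the deleted comment block held literal-looking values for `hmac_key`, the DB password and the companion key; if any were ever live they remain in history and should be rotated. The attribute set enclosing `setup` opens outside this hunk.

```nix
    script = pkgs.writeShellScript "setup" ''
      set -euo pipefail
      # … unchanged: export DB_HOST / INVIDIOUS_DOMAIN …

      # Fail closed: envsubst renders an unset name as an empty string.
      for v in DB_PASSWORD HMAC_KEY SERVER_SECRET_KEY DEFAULT_ADMIN_EMAIL; do
        [ -n "''${!v:-}" ] || { echo "invidious setup: $v is not set" >&2; exit 1; }
      done

      # Substitute only the names the template uses.
      ${pkgs.gettext}/bin/envsubst \
        '$DB_PASSWORD $DB_HOST $INVIDIOUS_DOMAIN $SERVER_SECRET_KEY $HMAC_KEY $DEFAULT_ADMIN_EMAIL' \
        < "${../data/invidious/config.yml}" \
        > "${serverCfg.configPath}/invidious/config.yml"
    '';
```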
@@ -0,0 +1,137 @@
+db:
+ user: invidious_user
+ password: $DB_PASSWORD
+ host: $DB_HOST
+ port: 5432
+ dbname: invidious_db
+
+#check_tables: false
+invidious_companion:
+ - private_url: "http://immich-companion:8282/companion"
+
+invidious_companion_key: $SERVER_SECRET_KEY
+port: 3000
+
+external_port: 443
+host_binding: 0.0.0.0
+domain: $INVIDIOUS_DOMAIN
+https_only: true
+#hsts: true
+
+## Accepted values: true, false, dash, livestreams, downloads, local
+#disable_proxy: false
+# use_innertube_for_captions: false
+
+# -----------------------------
+# Features
+# -----------------------------
+
+popular_enabled: flase
+statistics_enabled: true
+registration_enabled: true
+login_enabled: true
+captcha_enabled: false
+admins: ["$DEFAULT_ADMIN_EMAIL"]
+enable_user_notifications: false
+
+# -----------------------------
+# Background jobs
+# -----------------------------
+
+channel_threads: 1
+#channel_refresh_interval: 30m
+
+full_refresh: false
+feed_threads: 1
+
+jobs:
+ clear_expired_items:
+ enable: true
+ refresh_channels:
+ enable: true
+ refresh_feeds:
+ enable: true
+
+# -----------------------------
+# Miscellaneous
+# -----------------------------
+
+#banner:
+use_pubsub_feeds: true
+
+hmac_key: $HMAC_KEY
+#dmca_content:
+#cache_annotations: false
+#modified_source_code_url: ""
+#playlist_length_limit: 500
+
+#########################################
+#
+# Default user preferences
+#
+#########################################
+
+default_user_preferences:
+ # -----------------------------
+ # Internationalization
+ # -----------------------------
+
+ #locale: en-US
+ #region: US
+ ## Top 3 preferred languages for video captions.
+ #captions: ["", "", ""]
+
+ # -----------------------------
+ # Interface
+ # -----------------------------
+
+ dark_mode: "auto"
+ #thin_mode: false
+ feed_menu: ["Subscriptions", "Playlists"]
+ default_home: Subscriptions
+ #max_results: 40
+ #annotations: false
+ #annotations_subscribed: false
+ #comments: ["youtube", ""]
+ #player_style: invidious
+ #related_videos: true
+
+ # -----------------------------
+ # Video player behavior
+ # -----------------------------
+
+ #preload: true
+ #autoplay: false
+ #continue: false
+ #continue_autoplay: true
+ #listen: false
+ #video_loop: false
+
+ # -----------------------------
+ # Video playback settings
+ # -----------------------------
+
+ #quality: dash
+ #quality_dash: auto
+ #speed: 1.0
+ #volume: 100
+ #vr_mode: true
+ save_player_pos: true
+
+ # -----------------------------
+ # Subscription feed
+ # -----------------------------
+
+ #latest_only: false
+ #notifications_only: false
+ unseen_only: true
+ #sort: published
+
+ # -----------------------------
+ # Miscellaneous
+ # -----------------------------
+
+ #local: false
+ show_nick: false
+ #automatic_instance_redirect: false
+ #extend_desc: false
diff --git a/modules/server/sops/server.yaml b/modules/server/sops/server.yaml
index 7b37ee4..21ae85a 100644
--- a/modules/server/sops/server.yaml
+++ b/modules/server/sops/server.yaml
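Review bot: In the new `config.yml`, `private_url` points at `immich-companion` whereas the removed `extraEnv` in `invidious.nix` used `http://invidious-companion:8282/companion`, and `popular_enabled: flase` is not a YAML boolean; both look like typos that would break the companion link or config parsing. The secret placeholders (`$DB_PASSWORD`, `$SERVER_SECRET_KEY`, `$HMAC_KEY`) are substituted unquoted, so a value containing ` #` or `: ` would be silently truncated or misparsed; quoting them avoids that, provided generated secrets stay within an alphanumeric alphabet, since `"` or `\` would still break a double-quoted scalar. `registration_enabled: true` together with `captcha_enabled: false` on an instance bound to `0.0.0.0` behind a public domain leaves account creation open to anyone who can reach it; consider `registration_enabled: false` once the admin account exists, or enabling the captcha. The container hostname is assigned by the builder outside this diff, so confirm the companion's actual name before applying the first fix.

```yaml
db:
  user: invidious_user
  password: "$DB_PASSWORD"
# … unchanged: host, port, dbname …
invidious_companion:
  - private_url: "http://invidious-companion:8282/companion"

invidious_companion_key: "$SERVER_SECRET_KEY"
# … unchanged: port through the Features header …
popular_enabled: false
# … unchanged: statistics_enabled through use_pubsub_feeds …
hmac_key: "$HMAC_KEY"
```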
@@ -8,7 +8,8 @@ ETHERCALC: ENC[AES256_GCM,data:0ScnDsUNBt6wYJC4hTXn8huuTptBTDKZV4yFVQ4fuBWc6auWN GITEA: ENC[AES256_GCM,data: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,iv:vo6l0QirLIUvwLN675LYkffkXejJecvBesLJvoW/bjY=,tag:zyLyiCskF84A3QVoq5X3iw==,type:str] SEARXNG: ENC[AES256_GCM,data:gtKhEmMemzLRl4c3cYhMAQ+5vUth1IhWQeLvW1YtaG5TbhQHBR4PDREQOlGt+tlfGQrft+FeNhMSN/SKOp8gmScVWa+9qmltzxRGRpLm3m/VuBZvOlGdeUcKAX8zEH6A,iv:B2UEtjTRIjT6W+tH2gtcl6XMvZNgbvZUXTiBePGOu24=,tag:SHIF6eaWBLwy9RrEy1N9kg==,type:str] UMAMI: ENC[AES256_GCM,data:onB/uXLajaRLmeQMGNHFsjREzPih9ha+cogGRw+nRomERSRrbBv+6gCqEr8F3Dcm818JB4jGRYKoIYG8Jl6gMDaz5QQiA4qAnbG19LuzVeVUgz4NGEgXBULoT/0sQacnyAPIfPEp+ESWRQH81nO6Qcs+rICpS2Xfeye5hb+8rSAxmLpY991AJ3+avGyMwPcpfNCkixWt68KuG5ZN/IGDksM/sSLGgyMisClbEdhigq4mwibOxpiWjcKk/17xYgY6Xz93h/yloHKZIZZpnyA+85YC6oNWgCPhkGIAVu3dGshp10a0nk1A2INm6vxNPbfUjYLkt3zDAPZtoBRCqUs+43Eh62hYgajgWCQJhjJkDgF4Y1ifGfDerIXs/cDpIKLt2+7VqM6/ouqIDPJ7khSAr+8bcHU4CKDtsDagob5PpCG4ABt44cg9cGw=,iv:HD450JZuWn2+V0pvOsDHy9oVAanFMf1el9LA1z0PULY=,tag:p7Vl7dtM8UdAUNgmdG+7cg==,type:str] -IMMICH: ENC[AES256_GCM,data:wdco0KjuX7+YA2c691dZr/a6lLL8SZgJXraACNMSptOd376C5jBKmd06O5QOqjOam4IEAdg/enhO2W4AZQCmi78BIpKc8QRgzBGSYWSBeKJABfcu8ShMuzdNgPTQico+T0WnsGDel48WVIzhcHxMGioU65Ss8Kl37veP8QY1mhLfiCTOmF7y1ibMR2+P5vw7r8FVvJ1Wb9MxguG8rOHXVHDUd3kHSX98UiD54na8kkVK47xpvrVGBljtIyaAlyOJ3TRcacBQzj0C3e3xZ7onRhQtsdXpzpemjow3pIxjOEOtJgELwE64CsAgLN2cjZW4yJos4NkWV5chjbn2ff4CUFB0,iv:iwFetLUxxZuOkZ6CuGtQ0ZLu1CUx2ydAuTWcMRA8vgA=,tag:Bi68rYmsaSCie+olHPxi5A==,type:str] +IMMICH: ENC[AES256_GCM,data:1y78yeawkRjUXLWPyFdMB5HCDQhb1PoxEMfHmKSZfv0CWloOrQWT735dlH+W9yC6ljZjqVD9Fwq/9GqqKQMTFMCpr8wVRwSHEuqmaG3UgKzbLA3aWZ1SIB0AiJi+eUunzHj2vikUJx9dMRjC+iNXrsVWh2HqMrOyFCWetZoIfxNiAgsgNKPgYYsHLv6OAZs9XT7V3veqe0zc0nyw7ghWSXne/yNhQESyyGlMAdagrJRNimvXIp/AoAUKl2WUJm2MBl7lb6K1YeJ1XW8OjAHzV8isBiUwU8ZD81VJog0fgTGjbUa+HO7jEo+9YwmDIMx3f5z9N4A=,iv:pboITW2rr7+w8VNZM6uYMMEFZ1S/JtqjNOVthpYJ2tQ=,tag:0dgrJ191sB4MLJHMoQBlCg==,type:str] +INVIDIOUS: 
ENC[AES256_GCM,data:xS3iC5ChHrvG8Fefj6FhfUqTet9kPVnCHi6GZIKpGETm4+DdQgd7SpidCuPcB1G/jBGsVBae6gkX+lXXW7SHygWutdhcHoJQCBL3ydHih4dLibwdWlZZIKuA1aPTxb6WdU7oVpECA/5sT6rjD7a15tqzH6YEhzi62ZFXIMM3sQ==,iv:i2ITWEjbyP0EWWED5F+Wt18Prvu3AsH6fsFiOECLIxU=,tag:kZ6wTuFKTHArr/IkLDLPPA==,type:str] SERVARR: ENC[AES256_GCM,data:fukF7bejebMU7yp48fix,iv:CZkLyO8N8BqSk+0KDcMDrz1pbwaNH7Pg+NvNebdIdYM=,tag:AOMvnZOE0H6QDCmkPg3Kyw==,type:str] sops: age: @@ -30,8 +31,8 @@ sops: S1NaTVFTL0FCdm1EQmRsUnlhclZNZlEKEgIe60qkvY8+UocjQU+WM2dTL/1y3Kqk d4RrlLP9NSozwVsPYI4ntygvMSApbT4v0YvoO7gV90lkGWEvW1YDfA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-05-15T00:19:30Z" - mac: ENC[AES256_GCM,data:1O2Eh2X0cflggl9CHzOS3HuCXMZnpUps9NA1kZBm0tqsPSBPqw66z+K05TbeNXCa0ctWcDM0RuCSIsmxUAsJRu89VyAQhnzdQcC/udIi47ETkwo2uHaiI6jgDIyD2pALz8drpnnSsYTVX3loS8yqh7gE4qCEGzM/GYFJqDRoba4=,iv:jl5SzOGOu3z79VzSpRiEy8yeU9E+C2NZXfKqPtcl7qE=,tag:Q6YCTJZuxWHFoAapuLJoaw==,type:str] + lastmodified: "2026-05-15T13:37:56Z" + mac: ENC[AES256_GCM,data:PRlEzz5dgZekocWtytc3tO/o20dCR1h02HgIPSld/LDBpFJ0iaiPSSiPvBeR2aZ+DFZQeDaL8UacLHbOg1+r0y5jOpYXkFPC4khYiESlbctrgV1mYYI2gAKQd6idJB+GH7dP0E+aJEzeau8MNCaPfPUa0OWC/2Wf+6Z2o7hGmAY=,iv:hzwIZtzasrlEcQy853iWim5ahIXNVAAubZoVXcyRnpw=,tag:02AX9i/jIgixrb7iOijevw==,type:str] pgp: - created_at: "2026-05-05T23:46:27Z" enc: |- diff --git a/systems/sandbox/cfg.nix b/systems/sandbox/cfg.nix index 4998bfb..fdbf1fa 100644 --- a/systems/sandbox/cfg.nix +++ b/systems/sandbox/cfg.nix @@ -45,7 +45,7 @@ ethercalc.subdomain = "calc"; immich.subdomain = "pic"; # ===== FLIX ===== - # invidious.subdomain = "yt"; + invidious.subdomain = "yt"; jellyfin.subdomain = "flix"; # servarr.subdomain = "arr"; transmission = {